Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable

  • Release version: Australia
  • Updated March 12, 2026
  • Use the glide.xmlutil.max_entity_expansion property to change the maximum entity expansion limit to a smaller number.

    The glide.xmlutil.max_entity_expansion system property controls the maximum amount of entity expansion that the XML parser performs. If glide.xmlutil.max_entity_expansion isn't set to the recommended value of 3000 or less, the GlideXMLUtil parsing scriptable may be vulnerable to denial-of-service attacks.

    Ensure that the property glide.xmlutil.max_entity_expansion is set to 3000 or less.

    If the instance is on Washington or later, the default implied value is 3000 if the System Properties [sys_properties] record does not exist. If the instance is not on Washington or later, the recommendation is for the instance admin to create a System Properties [sys_properties] record and set the value to 3000.

    Note:
    500 is the default minimum imposed by the ServiceNow AI Platform, which is considered to be a safe threshold.
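
An added example (not ServiceNow code) that models what an entity expansion limit does: it counts the entity references a parser would resolve and stops once the limit is passed, without building the expanded text. The counting rule, the function names and the sample document are assumptions constructed for illustration.

```javascript
// Simplified model of an entity expansion limit. Not the platform's parser:
// the counting rule (one count per resolved reference) is an assumption.
const RECOMMENDED_MAX = 3000; // recommended ceiling stated on this page

// Collect internal general entity declarations: <!ENTITY name "value">
function parseEntities(xml) {
  const entities = new Map();
  const decl = /<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(xml)) !== null) entities.set(m[1], m[2]);
  return entities;
}

// Count resolved references in `text`, descending into entity values.
// Throws as soon as the running count passes `limit`, so work stays bounded.
function countExpansions(text, entities, limit, state = { count: 0 }, stack = []) {
  const ref = /&([\w.-]+);/g;
  let m;
  while ((m = ref.exec(text)) !== null) {
    const name = m[1];
    if (!entities.has(name)) continue; // predefined or undeclared: not counted here
    if (stack.includes(name)) throw new Error(`recursive entity: ${name}`);
    state.count += 1;
    if (state.count > limit) throw new Error(`entity expansion limit ${limit} exceeded`);
    countExpansions(entities.get(name), entities, limit, state, stack.concat(name));
  }
  return state.count;
}

// Decide whether a document stays within the limit.
function checkDocument(xml, limit = RECOMMENDED_MAX) {
  const entities = parseEntities(xml);
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]>/, ''); // references outside the DTD
  try {
    return { allowed: true, expansions: countExpansions(body, entities, limit) };
  } catch (e) {
    return { allowed: false, reason: e.message };
  }
}

// Constructed sample: three small nested entities, one reference in the body.
const SAMPLE = '<!DOCTYPE d [<!ENTITY e0 "x">' +
  '<!ENTITY e1 "&e0;&e0;&e0;&e0;"><!ENTITY e2 "&e1;&e1;&e1;&e1;">]><d>&e2;</d>';

console.log(checkDocument(SAMPLE));     // within the recommended limit
console.log(checkDocument(SAMPLE, 20)); // a lower limit blocks the same input
```

A single reference in the body resolves many times over once entities nest, which is why the limit is applied to the running count rather than to the number of references written in the document.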

    More information

    Attribute: Description
    Configuration name:
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Integer
    Recommended value: Less than or equal to 3000
    Default value: <none>
    Fallback value: 3000
    Category: Validation, sanitization, and encoding
    Security risk:
    • Severity score: 5.3
    • CVSS rating: Medium
    • Security risk details: A Denial-of-Service (DoS) vulnerability poses a security risk by allowing attackers to overwhelm or crash a system, rendering it unavailable to legitimate users and potentially disrupting critical operations.
    Functional impact: If the customization is using large entity expansion, the ServiceNow AI Platform might block further processing.
    Dependencies and prerequisites: None

    To learn more about adding or creating a system property, see Add a system property.